How Hackers and Scammers Break into iCloud-Locked iPhones
In spring, 2017, a teenager walked up behind a woman leaving the Metro in Northeast Washington DC and put her in a chokehold: "Be quiet," he said. And "delete your iCloud." He grabbed her iPhone 6S and ran away.
Last month, there were a string of similar muggings in Philadelphia. In each of these muggings, the perpetrator allegedly held the victim up at gunpoint, demanded that they pull out their iPhone, and gave them instructions: Disable "Find My iPhone," and log out of iCloud.
In 2013, Apple introduced a security feature designed to make iPhones less valuable targets to would-be thieves. An iPhone can only be associated to one iCloud account, meaning that, in order to sell it to someone else (or in order for a stolen phone to be used by someone new) that account needs to be removed from the phone altogether. A stolen iPhone which is still attached to the original owner's iCloud account is worthless for personal use or reselling purposes (unless you strip it for parts), because at any point the original owner can remotely lock the phone and find its location with Find My iPhone. Without the owner's password, the original owner's account can't be unlinked from the phone and the device can't be factory reset. This security feature explains why some muggers have been demanding passwords from their victims.
The iCloud security feature has likely cut down on the number of iPhones that have been stolen, but enterprising criminals have found ways to remove iCloud in order to resell devices. To do this, they phish the phone's original owners, or scam employees at Apple Stores, which have the ability to override iCloud locks. Thieves, coders, and hackers participate in an underground industry designed to remove a user's iCloud account from a phone so that they can then be resold.
Making matters more complicated is the fact that not all iCloud-locked phones are stolen devices-some of them are phones that are returned to telecom companies as part of phone upgrade and insurance programs. The large number of legitimately obtained, iCloud-locked iPhones helps supply the independent phone repair industry with replacement parts that cannot be obtained directly from Apple. But naturally, repair companies know that a phone is worth more unlocked than it is locked, and so some of them have waded into the hacking underground to become customers of illegal iCloud unlocking companies.
In practice, "iCloud unlock" as it's often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they're the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone's original owner.
Got a tip? You can contact Joseph Cox securely on Signal at +44 20 8133 5190, OTR chat at jfcox@jabber.ccc.de, or email joseph.cox@vice.com.You can contact Jason Koebler securely on Signal at 347-513-3688 or via email: jason.koebler@vice.com.
There are three ways to remove an iCloud account from an iPhone:
- The password to the original owner's iCloud can be entered to remove it, which a hacker could obtain via phishing.
- An Apple Store manager can override iCloud. Scammers can trick Apple Store managers into unlocking a device they don't own.
- The iPhone's CPU can be removed from the Logic Board and reprogrammed to create what is essentially a "new" device (this is very labor intensive and rare. It is generally done in Chinese refurbishing labs and involves stealing a "clean" phone identification number called an IMEI.)
Each of these methods are used to unlock specific devices and resell them, though some methods are far easier and more widely used than others.
"Not every iCloud-locked phone is a stolen device," RootJunky, an instructor at Phonlab, a company that teaches smartphone repair shops about software-related issues in the industry, told Motherboard. "But every method for removing iCloud involves illegal activity."
WHEN THIEVES' HANDS ARE TIED
iPhones are convenient target for thieves because they're worth hundreds of dollars, plentiful, and easy to carry and hide. But thieves can run into several technical obstacles once they get hold of the phone. Many owners use the device's Find My iPhone feature, which lets a customer log into an Apple website and easily see their phone's precise location on a map, as well as remotely lock their device, which makes it much harder to resell, and worth much less than an unlocked, factory-reset phone. Although law enforcement officers can't always act on this information, Find My iPhone has contributed to the arrests of phone thieves. Activation Lock, a related feature, means the phone can only be erased, used, or reactivated upon entering the owner's device pincode or their iCloud password.
To be clear, "iCloud lock" and a device's passcode are two different things. The iPhone passcode will unlock the screen, whereas the iCloud password can be used to remove features such as Find My iPhone, Activation Lock, and to associate the phone with a new Apple account, which is critical when a phone is resold.
There are many listings on eBay, Craigslist, and wholesale sites for phones billed as "iCloud-locked," or "for parts" or something similar. While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones-including some iCloud-locked devices-are sold in bulk at private "carrier auctions" where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)
"Every method for removing iCloud involves illegal activity."
When the owner of a phone returns it to their cell phone provider as part of a phone upgrade or insurance claim, the employee who collects it is trained to ask that customer to remove iCloud from the device, according to spokespeople from AT&T and T-Mobile. But this doesn't always happen, meaning that carriers and insurance companies get stuck with iCloud-locked phones. Motherboard could not determine whether any carriers currently have the ability to independently remove iCloud lock from iPhones, or whether Apple ever helps carriers remove iCloud at scale. AT&T and T-Mobile ignored specific questions about whether it has the ability to unlock phones, and Sprint and Verizon did not respond to a request for comment. According to two sources in the iPhone refurbishing community who have bought iCloud-locked phones from telecom auctions, mobile carriers want the ability to unlock phones, but Apple likely has little incentive to encourage the secondary market for iPhones.
"The carriers sell a ton of locked devices," one refurbisher who buys phones from private auctions told Motherboard. Motherboard agreed to keep this refurbisher anonymous because they did not want to lose access to private carrier auctions.
Once iCloud-locked devices are back on the market-whether they are legally obtained or stolen-they either need to be stripped for parts, or somehow unlocked.
That's where the hackers come in.
PHISHING FOR CLOUDS
"Which country?" one iPad reseller wrote in a private chat group of iCloud hackers on chat app Telegram that Motherboard gained access to. The message came alongside an image of a device displaying a "This iPad has been lost. Please call me" message.
Every day, members of this 100-strong group chat share tips on how to trick victims into handing over iCloud passwords, upload photos of their successful unlocks, and share Apple-themed stickers. This is where many lost, stolen, or otherwise locked iPhones end up before hackers unlock them and the devices are sold again. The group is a near constant stream of people's phones and the messages left on their iPhone's lock screen.
"This phone is stolen. Please hand it to the police," the message displayed on one iPhone shown in the group, reads.
The iPhones, iPads, and occasional Apple Watch come from all over the world: the United States, Britain, Europe, South America, Southeast Asia, and the Middle East. Some hackers have dozens of targets at a time, according to screenshots of control panels shared in the group chat. The hackers are also global: one said in the chat they were in the Philippines, while a hacking tool developer indicated they were based in Eastern Europe.
An iPhone shared in the hacker group chat. Image: MotherboardWhen trying to resell a stolen or lost iPhone, first the unlocker needs to understand more about the phone they have in their possession. Does it have Find My iPhone enabled? Has the owner already reported it as stolen to Apple? To answer these questions, the hackers often use access to a tool which provides information on phones. Motherboard was not able to confirm the exact database that scammers are using, but tested several online services that returned accurate information about a Motherboard device, including whether Find My iPhone was activated and whether it was reported as lost, stolen or 'clean'.
If someone who is trying to unlock a phone doesn't want to go through the hassle of securing their own lookup access, they can also use a site that provides information on Apple devices for a fee. iFreeiCloud.co.uk can provide reports such as whether a device has been reported as stolen to a carrier for 10 cents each.
Some hackers in the group claim to to have access to Apple's Global Service Exchange, or GSX, a repair database used by the company and some third party Apple Authorized Service Providers and resellers.
"GSX is the Global Service Exchange website used by Retail and Apple Authorized Service Provides to access technical resources, ranging from Apple Service Guides and Troubleshooting tools to Service Technician training," an internal Apple document describing the service obtained by Motherboard reads. Various different employees in Apple Stores, such as those who work at the Genius Bar, automatically have access to GSX, another internal Apple document reads.
Motherboard found several advertisements offering access to GSX accounts or related information online. One was on a bitcoin-focused forum, others were online ads asking potential customers to email them; Motherboard exchanged emails with one person claiming to sell GSX accounts for $199 a piece. Several Twitter users also claimed to be selling access. (Some people advertising GSX accounts on Twitter appear to be scammers, however.) Motherboard also found forum posts of legitimate GSX account holders saying they've received phishing emails designed to steal their GSX login details.
In a novel melding of physical and cybercrime, these black market iPhone resellers rely on special iCloud phishing kits; sets of tools that are crafted to trick a victim into handing over their Apple ID password after thieves have stolen the phone. And these kits are deliberately designed to be easy to use, dramatically lowering the barrier of entry for iPhone thieves and unlockers.
An iPad shared in the hacker group chat. Image: MotherboardDavide Ferro, an independent security researcher who has followed the iCloud phishing community, told Motherboard in an online chat "AppleKit and ProKit in particular are complete suite[s] for the beginner, with support, video, ticketing service." Ferro shared dozens of examples of iCloud phishing kits with Motherboard over several months, including screenshots showing lists of hundreds of phishing targets. As cybersecurity firm Trend Micro pointed out in a report on the underground iPhone trade, AppleKit also supports iPads, Macs, and Apple Watches.
Whereas more generic phishing kits may be used by a hacker for a number of different purposes, perhaps for stealing banking details, email credentials, or online accounts in general, these kits are specifically designed to phish iCloud accounts. The iCloud phishing kits come with templates designed to trick a victim that their iPhone was found. These kits allow a hacker to send SMS messages that appear to come from Apple that could trick a victim into giving up their iCloud credentials, and the kits can even generate fake maps of where the victim's phone has apparently been discovered to further entice them. The kits keep track of a hacker's list of targets, provide notifications on successful phishes, and some require next to no technical setup, according to tutorial videos on how to use them.
"You formulate a fake receipt, take it to the Apple Store, and say 'Hey, I forgot my Apple ID information, but here's a receipt.'"
Once the hackers obtain the iCloud login credentials, they simply enter them into the iPhone, which makes it a fully-functioning device that can be resold and have a new account added to it.
BlackViirus, the developer behind ProKit, told Motherboard in an online chat that his product costs $75, and he uses a network of resellers to distribute the phishing kit further. BlackViirus claims to have over 1,500 customers. Phishing is a scale operation, with some iCloud unlockers claiming to process bulk orders. They often accept payment using PayPal or Skrill, another money transfer service.
Some of the hackers running these phishing kits are not necessarily the brightest hackers in the world. Mustapha Othman, the creator of AppleKit, previously hard-coded a password into his phishing kit, meaning anyone could just pluck that out of his code and log in as an administrator, seeing what each of his customers were up to (Othman did not respond to a request for comment.) Ferro, the independent security researcher, used this to log into AppleKit panels and provided screenshots of victim lists to Motherboard.
A screenshot of an iCloud phishing panel provided by Davide Ferro. Motherboard has redacted the victims' names and email addresses. Image: MotherboardGETTING THE PAPERWORK
Not everyone falls for phishing attacks, so some online iCloud unlocking services have found other ways to remove an account: Social engineering at the Apple Store or via contacting Apple customer support.
An internal Apple document obtained by Motherboard shows that the company has an "iCloud Support App" at Apple Stores that allows employees to look up the iCloud status of any phone, and also allows managers to "request unlock" of a device. According to people in the iCloud unlocking industry as well as those in the security industry who have studied iCloud unlocking, Apple allows managers to remove iCloud from phones if a customer brings in their original receipt proving that they are the owner of the iPhone.
Naturally, this means that some scammers have begun creating fake receipts in order to use social engineering to get Apple itself to unlock a phone. For this, the scammers need editable templates of invoices or receipts from Apple or telecommunications companies, that they then alter to trick Apple, using information that has been obtained from a lookup system.
"You formulate a fake receipt, take it to the Apple Store, and say 'Hey, I forgot my Apple ID information, but here's a receipt,'" Mick Ventocilla, owner of Lakeshore Tech Repair, a smartphone repair shop in Michigan, told Motherboard. Ventocilla says he does not try to unlock iCloud but knows many in the repair industry who do. "They remove it. That's one of the most common ways."
An internal Apple document talking about the iCloud Support App. Motherboard has reconstructed the document rather than publish the original to preserve source anonymity. The language remains intact. Image: MotherboardMotherboard accessed another Telegram chat room that focused just on providing access to copies of carrier receipts. Here, scammers charged around $150 for a single invoice, or a discount if they buy two.
"If you want both T-Mobile and Verizon will be 125$ each," the administrator of the invoice chat room wrote in January.
Another online listing Motherboard found advertises an Apple invoice template for around $300.
Scammers will use Photoshop or similar software to alter the invoice to make it appear to be a legitimate one for the device they're trying to unlock. They keep on top of any changes to the documents as well-some scammers were recently asking for 2019 versions of invoices.
Armed with a legitimate-looking Apple invoice filed with accurate information about the phone such as its IMEI number-a unique, per device identifier code-and its estimated date of purchase, scammers can ask Apple customer support to remove iCloud from the device. Scammers don't always need to go into an Apple store to do this-screenshots shared in the invoice chat room show successful iCloud removals by just conversing with Apple support over email. This likely only works with phones that have not been marked as stolen, however.
While this method can work for phones that can't be successfully phished, it is also considerably more risky-and more labor intensive-than using a premade phishing kit.
"If you want both T-Mobile and Verizon will be 125$ each."
"I admit that I tried the receipt template method and offered it at times. I learned this method has a high success rate, but if you ever get a Apple tech that wants to be a super fucking tech and put on a badge and goes in the back of an Apple store, you are guaranteed 100% fcked," the owner of an iPhone unlocking company posted in a private Facebook group for repair experts last year. "The phone will be flagged in Apple's system as a fraud device and all these Apple employees talk to each other " [alternatively you can] find a very thirsty manager in an Apple store who will accept a bribe to conduct this service for you. Keep in mind depending on the store each manager is only allowed maximum 5/10 iCloud unlocks a day. Then their system is locked for the day."
Apple acknowledged a request for comment several days before publication, but did not provide a statement.
An iCloud phishing email.Outside of their Telegram group chats, the scammers and hackers are loud and brazen, advertising their tools and services on Facebook, Twitter, and Instagram, many openly selling the kits explicitly to break into 'lost' iPhones and others tweeting when they've apparently unlocked a device.
"ONLINE ACCEPTING Fresh or Rejected iPhone in LOST MODE or CLEAN unlock," one iCloud unlocker tweeted recently.
These social media posts are where the underground unlocking market and the legitimate iPhone repair industry meet in an uncomfortable and controversial alliance.
RIGHT TO HACK
Many independent repair companies regularly buy iCloud-locked devices even if they have no intention of trying to unlock them. Even when locked, the phones can be stripped for parts-and because Apple doesn't actually sell parts to repair companies, the repair industry needs to get creative about where it gets parts from. Many companies buy these phones from telecom-industry auctions, but there is also lots of crossover into a grey area where repair companies can't be sure whether they're buying a stolen phone or a legitimately obtained one.
"There's a ton of them for sale out there," Aakshay Kripalani, CEO of the Georgia-based Injured Gadgets repair shop, told Motherboard in a phone call. "Even locked, the hardware on the phones is worth some money. With an iPhone 7 Plus, the rear cameras are worth $50-$80, the charging port is worth $30. You can part the phones out, though it's a bit of a headache, obviously."
Because the phone is worth less as a series of parts than it is as a fully functioning device, and because many iCloud-locked devices aren't actually broken, an iPhone repair shop or refurbisher is naturally going to wonder whether there's simply a way to remove iCloud, so it can resell the phone.
"You are the reason the industry is looked at as an ugly stepchild."
"I can buy an iCloud-locked iPhone X for $220, part it out and make $550 over the course of a few months," Ventocilla said. "But there's a lot of people who pay that $220 and then think, well, if I can remove iCloud I instantly have a $700 device in my hand. And I'm making that money a lot faster."
Ventocilla says that he has bought more than 500 iCloud-locked devices but has not tried to unlock any of them. He also doesn't buy iCloud-locked devices from his customers, preferring to get them from companies that he trusts.
"The way I justify it in my head is, someone is going to use this phone either way and it's better for the environment if I use it for parts than just letting it go to waste," he said. "I don't sit there and unlock iClouds because I don't want to make individual moral calls on whether each phone is legitimate. But there's a huge demand for it."
Apple's implementation of the iCloud lock is a constant frustration for those in the repair industry, who understand that it's an important security feature but believe that Apple could have found a way to prevent legitimately resold devices from being locked.
"I wish that they would just use iCloud lock for devices that are reported lost or stolen," Justin Carroll, owner of FruitFixed, an independent smartphone repair shop in Virginia, told Motherboard. "We've seen it hundreds of times-people bring in perfectly working and capable phones that have nothing wrong with them and we can't do anything for them. We've even had it happen to us, where we give a loaner phone to a customer, they don't remove iCloud, they leave the store, and we have an expensive paperweight. That's incredibly frustrating."
Whether there's a reliable way to do iCloud unlocking is a constant topic of conversation in repair industry forums and Facebook groups. It's become so common that, last month, an admin of one of the largest repair-focused Facebook groups asked "should we ban iCloud unlock from this group?" The overwhelming majority of voters suggested that the topic should be banned altogether. Most independent repair shop owners Motherboard spoke to said that iCloud unlocking is a dark side of the repair world that they worry will prevent them from being taken seriously as a legitimate industry, especially as the industry lobbies for right to repair legislation that would make it easier for them to buy repair parts and diagnostic tools.
"When I'm trying to sit in the room with an enterprise client, an insurance carrier, an OEM, how am I supposed to logically explain to these guys that we deserve the right to be able to work with them?" Michael Oberdick, owner of the Ohio-based iOutlet chain of repair shops and a prominent right to repair advocate said in a public YouTube video posted last month.
"How am I supposed to sit in a room with a Senator of a state and fight for the right to repair and say 'yes we deserve the right to the parts, the diagnostic tools, all the things we need from these manufacturers' when we have people rewriting goddamn iCloud as a business model? I'm sorry, but you're the reason we can't get shit passed," he added. "You are the reason the industry is looked at as an ugly stepchild."
Subscribe to our new cybersecurity podcast, CYBER.